Yup, Still Worried About the Midterms

[Previously: Trump Suggests the Midterms Will Be Compromised, I Am Very Worried About the Midterms, I Am (Still) Very Worried About the Midterms, and I Remain Very Worried About the Midterms.]

As I have noted many times now, the midterm election won't be fair, regardless of foreign interference, because of the Republican Party's vast and long-term voter suppression scheme, including but not limited to gerrymandering, voter purges, felon restrictions, Election Day disenfranchisement, and various erosions of voting rights.

Add to that list their total failure to securing the machines on which we vote in our elections.

(This, to be clear, is not just the fault of Republicans. Plenty of Democrats are aggressively indifferent to this urgent election integrity issue, too. But, right now, the GOP is controlling all three branches of the federal government and a majority of state legislatures, so they are the primary focus of my ire at the moment.)

Shaker GoldFishy passed along this terrifying article by Brian Varner at Wired: "I Bought Used Voting Machines on eBay for $100 Apiece; What I Found Was Alarming." Varner is "a security researcher at Symantec who started buying the machines as part of an ongoing effort to identify their vulnerabilities and strengthen election security," and his full piece is worth your time to read. I strongly encourage you to read it in its entirety, but here is an extended excerpt:
If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn't work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted.

...I reverse-engineered the machines to understand how they could be manipulated. After removing the internal hard drive, I was able to access the file structure and operating system. Since the machines were not wiped after they were used in the 2012 presidential election, I got a great deal of insight into how the machines store the votes that were cast on them. Within hours, I was able to change the candidates' names to be that of anyone I wanted. When the machine printed out the official record for the votes that were cast, it showed that the candidate's name I invented had received the most votes on that particular machine.

...By using a $15 palm-sized device, my team was able to exploit a smart chip card, allowing us to vote multiple times.

In most parts of the public and private sector, it would be unthinkable that such a sensitive process would be so insecure. Try to imagine a major bank leaving ATMs with known vulnerabilities in service nationwide, or a healthcare provider identifying a problem in how it stores patient data, then leaving it unpatched after public outcry. It just doesn't fit with our understanding of cyber security in 2018.

Those industries are governed by regulations that outline how sensitive information and equipment must be handled. The same common-sense regulations don't exist for election systems. PCI and HIPAA are great successes that have gone a long way in protecting personally identifiable information and patient health conditions. Somehow, there is no corollary for the security of voters, their information and, most importantly, the votes they cast.

...The fact that information is stored unencrypted on hard drives simply makes no sense in the current threat environment. That they can be left on devices, unencrypted, that are then sold on the open market is malpractice.
Varner further notes that privacy is one concern among many. Like, for instance, the fact that proof of one tampered machine is all it might take to undermine faith in the entire election.
Since these machines are for sale online, individuals, precincts, or adversaries could buy them, modify them, and put them back online for sale. Envision a scenario in which foreign actors purchased these voting machines. By reverse engineering the machine like I did to exploit its weaknesses, they could compromise a small number of ballot boxes in a particular precinct.

That's the greatest fear of election security researchers: not wholesale flipping of millions of votes, which would be easy to detect, but a small, public breach of security that would sow massive distrust throughout the entire election ecosystem. If anyone can prove that the electoral process can be subverted, even in a small way, repairing the public's trust will be far costlier than implementing security measures.
This is not a new worry, but an old one, which has become even more concerning in the current environment. And I don't even know what to recommend in terms of what we can do about it, because the people in charge are as likely as anyone else to exploit these weaknesses.

Shakesville is run as a safe space. First-time commenters: Please read Shakesville's Commenting Policy and Feminism 101 Section before commenting. We also do lots of in-thread moderation, so we ask that everyone read the entirety of any thread before commenting, to ensure compliance with any in-thread moderation. Thank you.

blog comments powered by Disqus